
github.com/phpmyadmin/phpmyadmin.git - Unnamed repository; edit this file 'description' to name the repository.
authorMaurício Meneghini Fauth <mauricio@fauth.dev>2021-09-01 18:52:59 +0300
committerMaurício Meneghini Fauth <mauricio@fauth.dev>2021-09-01 18:52:59 +0300
commite5e7bd2f95911b92ebdf1a7e357a4477f360e891 (patch)
treeeae5a597e039307bd47b4eac165a036dbff2981d
parent4c6061a04ec94ab9eb89040db8495fa3555e534b (diff)
Access POST params from the ServerRequest class
Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
-rw-r--r--libraries/classes/Controllers/ExportController.php77
-rw-r--r--libraries/classes/Controllers/ExportTemplateController.php39
-rw-r--r--libraries/classes/Controllers/GisDataEditorController.php48
-rw-r--r--libraries/routes.php2
-rw-r--r--psalm-baseline.xml44
-rw-r--r--templates/gis_data_editor_form.twig2
-rw-r--r--test/classes/Controllers/ExportTemplateControllerTest.php36
7 files changed, 131 insertions, 117 deletions
diff --git a/libraries/classes/Controllers/ExportController.php b/libraries/classes/Controllers/ExportController.php
index 405c5b522a..25f2f1be62 100644
--- a/libraries/classes/Controllers/ExportController.php
+++ b/libraries/classes/Controllers/ExportController.php
@@ -9,6 +9,7 @@ use PhpMyAdmin\Core;
use PhpMyAdmin\Encoding;
use PhpMyAdmin\Exceptions\ExportException;
use PhpMyAdmin\Export;
+use PhpMyAdmin\Http\ServerRequest;
use PhpMyAdmin\Message;
use PhpMyAdmin\Plugins;
use PhpMyAdmin\Plugins\ExportPlugin;
@@ -55,7 +56,7 @@ final class ExportController extends AbstractController
$this->relation = $relation;
}
- public function index(): void
+ public function __invoke(ServerRequest $request): void
{
global $containerBuilder, $db, $export_type, $filename_template, $sql_query, $errorUrl, $message;
global $compression, $crlf, $asfile, $buffer_needed, $save_on_server, $file_handle, $separate_files;
@@ -66,6 +67,28 @@ final class ExportController extends AbstractController
global $active_page, $do_relation, $do_comments, $do_mime, $do_dates, $whatStrucOrData, $db_select;
global $table_structure, $table_data, $lock_tables, $allrows, $limit_to, $limit_from;
+ /** @var array<string, string> $postParams */
+ $postParams = $request->getParsedBody();
+
+ /** @var string $whatParam */
+ $whatParam = $request->getParsedBodyParam('what', '');
+ /** @var string|null $quickOrCustom */
+ $quickOrCustom = $request->getParsedBodyParam('quick_or_custom');
+ /** @var string|null $outputFormat */
+ $outputFormat = $request->getParsedBodyParam('output_format');
+ /** @var string $compressionParam */
+ $compressionParam = $request->getParsedBodyParam('compression', '');
+ /** @var string|null $asSeparateFiles */
+ $asSeparateFiles = $request->getParsedBodyParam('as_separate_files');
+ /** @var string|null $quickExportOnServer */
+ $quickExportOnServer = $request->getParsedBodyParam('quick_export_onserver');
+ /** @var string|null $onServerParam */
+ $onServerParam = $request->getParsedBodyParam('onserver');
+ /** @var array|null $aliasesParam */
+ $aliasesParam = $request->getParsedBodyParam('aliases');
+ /** @var string|null $structureOrDataForced */
+ $structureOrDataForced = $request->getParsedBodyParam('structure_or_data_forced');
+
$this->addScriptFiles(['export_output.js']);
/**
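Review bot: The `@var` docblocks on the new lines (`/** @var string $whatParam */` and the ones that follow) assert types that `getParsedBodyParam()` cannot guarantee — a request body can carry an array under any key — so under `declare(strict_types=1)` a non-string value reaches typed callees such as `Core::securePath()` as a `TypeError` instead of being rejected up front. The same applies to `/** @var array<string, string> $postParams */` over `getParsedBody()`: the route accepts GET as well as POST (routes.php hunk in this commit), where the parsed body is typically null, and PSR-7 also permits an object. Suggest annotating what is actually possible (`mixed`, or `string|array|null`) and narrowing with `is_string()` / `is_array()` where a specific type is required; the parameter blocks in ExportTemplateController::create and GisDataEditorController::__invoke have the same shape. The body of `__invoke` continues past this hunk.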
@@ -77,7 +100,7 @@ final class ExportController extends AbstractController
* TODO: this should be removed to avoid passing user input to GLOBALS
* without checking
*/
- $post_params = [
+ $allowedPostParams = [
'db',
'table',
'what',
@@ -198,18 +221,18 @@ final class ExportController extends AbstractController
'aliases',
];
- foreach ($post_params as $one_post_param) {
- if (! isset($_POST[$one_post_param])) {
+ foreach ($allowedPostParams as $param) {
+ if (! isset($postParams[$param])) {
continue;
}
- $GLOBALS[$one_post_param] = $_POST[$one_post_param];
+ $GLOBALS[$param] = $postParams[$param];
}
Util::checkParameters(['what', 'export_type']);
// sanitize this parameter which will be used below in a file inclusion
- $what = Core::securePath($_POST['what']);
+ $what = Core::securePath($whatParam);
// export class instance, not array of properties, as before
/** @var ExportPlugin $export_plugin */
@@ -251,45 +274,33 @@ final class ExportController extends AbstractController
$separate_files = '';
// Is it a quick or custom export?
- if (
- isset($_POST['quick_or_custom'])
- && $_POST['quick_or_custom'] === 'quick'
- ) {
+ if ($quickOrCustom === 'quick') {
$quick_export = true;
} else {
$quick_export = false;
}
- if (isset($_POST['output_format']) && $_POST['output_format'] === 'astext') {
+ if ($outputFormat === 'astext') {
$asfile = false;
} else {
$asfile = true;
- $selectedCompression = $_POST['compression'] ?? '';
- if (
- isset($_POST['as_separate_files'])
- && ! empty($_POST['as_separate_files'])
- ) {
- if (
- ! empty($selectedCompression)
- && $selectedCompression === 'zip'
- ) {
- $separate_files = $_POST['as_separate_files'];
- }
+ if ($asSeparateFiles && $compressionParam === 'zip') {
+ $separate_files = $asSeparateFiles;
}
- if (in_array($selectedCompression, $compression_methods)) {
- $compression = $selectedCompression;
+ if (in_array($compressionParam, $compression_methods)) {
+ $compression = $compressionParam;
$buffer_needed = true;
}
if (
- ($quick_export && ! empty($_POST['quick_export_onserver']))
- || (! $quick_export && ! empty($_POST['onserver']))
+ ($quick_export && ! empty($quickExportOnServer))
+ || (! $quick_export && ! empty($onServerParam))
) {
if ($quick_export) {
- $onserver = $_POST['quick_export_onserver'];
+ $onserver = $quickExportOnServer;
} else {
- $onserver = $_POST['onserver'];
+ $onserver = $onServerParam;
}
// Will we save dump on server?
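Review bot: `in_array($compressionParam, $compression_methods)` on the new side still compares loosely; now that `$compressionParam` is a string defaulting to `''`, pass the strict flag: `if (in_array($compressionParam, $compression_methods, true)) {`. The quick/custom `if`/`else` above it can collapse to `$quick_export = $quickOrCustom === 'quick';`. `$compression_methods` and the rest of the method lie outside this hunk.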
@@ -301,7 +312,7 @@ final class ExportController extends AbstractController
* If we are sending the export file (as opposed to just displaying it
* as text), we have to bypass the usual PhpMyAdmin\Response mechanism
*/
- if (isset($_POST['output_format']) && $_POST['output_format'] === 'sendit' && ! $save_on_server) {
+ if ($outputFormat === 'sendit' && ! $save_on_server) {
$this->response->disable();
//Disable all active buffers (see: ob_get_status(true) at this point)
do {
@@ -348,9 +359,9 @@ final class ExportController extends AbstractController
$aliases = Misc::getAliases($parser->statements[0], $db);
}
- if (! empty($_POST['aliases'])) {
- $aliases = $this->export->mergeAliases($aliases, $_POST['aliases']);
- $_SESSION['tmpval']['aliases'] = $_POST['aliases'];
+ if (! empty($aliasesParam)) {
+ $aliases = $this->export->mergeAliases($aliases, $aliasesParam);
+ $_SESSION['tmpval']['aliases'] = $aliasesParam;
}
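Review bot: `! empty($aliasesParam)` lets a scalar `aliases` value through to `$this->export->mergeAliases()` and into `$_SESSION['tmpval']['aliases']`, although the `@var array|null` annotation added for it — and presumably the callee — expect an array. GisDataEditorController in this same commit guards `gis_data` with `is_array()`; do the same here while keeping the empty-array skip: `if (is_array($aliasesParam) && $aliasesParam !== []) {`. The enclosing method continues outside the hunk.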
/**
@@ -531,7 +542,7 @@ final class ExportController extends AbstractController
$table_data = [];
}
- if (! empty($_POST['structure_or_data_forced'])) {
+ if ($structureOrDataForced) {
$table_structure = $tables;
$table_data = $tables;
}
diff --git a/libraries/classes/Controllers/ExportTemplateController.php b/libraries/classes/Controllers/ExportTemplateController.php
index 45bb9e21ab..3764c0fd40 100644
--- a/libraries/classes/Controllers/ExportTemplateController.php
+++ b/libraries/classes/Controllers/ExportTemplateController.php
@@ -6,6 +6,7 @@ namespace PhpMyAdmin\Controllers;
use PhpMyAdmin\Export\Template as ExportTemplate;
use PhpMyAdmin\Export\TemplateModel;
+use PhpMyAdmin\Http\ServerRequest;
use PhpMyAdmin\Relation;
use PhpMyAdmin\ResponseRenderer;
use PhpMyAdmin\Template;
@@ -35,10 +36,19 @@ final class ExportTemplateController extends AbstractController
$this->relation = $relation;
}
- public function create(): void
+ public function create(ServerRequest $request): void
{
global $cfg;
+ /** @var string $exportType */
+ $exportType = $request->getParsedBodyParam('exportType', '');
+ /** @var string $templateName */
+ $templateName = $request->getParsedBodyParam('templateName', '');
+ /** @var string $templateData */
+ $templateData = $request->getParsedBodyParam('templateData', '');
+ /** @var string|null $templateId */
+ $templateId = $request->getParsedBodyParam('template_id');
+
$cfgRelation = $this->relation->getRelationsParam();
if (! $cfgRelation['exporttemplateswork']) {
@@ -47,9 +57,9 @@ final class ExportTemplateController extends AbstractController
$template = ExportTemplate::fromArray([
'username' => $cfg['Server']['user'],
- 'exportType' => $_POST['exportType'] ?? '',
- 'name' => $_POST['templateName'] ?? '',
- 'data' => $_POST['templateData'] ?? '',
+ 'exportType' => $exportType,
+ 'name' => $templateName,
+ 'data' => $templateData,
]);
$result = $this->model->create($cfgRelation['db'], $cfgRelation['export_templates'], $template);
@@ -72,15 +82,16 @@ final class ExportTemplateController extends AbstractController
'data',
$this->template->render('export/template_options', [
'templates' => is_array($templates) ? $templates : [],
- 'selected_template' => $_POST['template_id'] ?? null,
+ 'selected_template' => $templateId,
])
);
}
- public function delete(): void
+ public function delete(ServerRequest $request): void
{
global $cfg;
+ $templateId = (int) $request->getParsedBodyParam('templateId');
$cfgRelation = $this->relation->getRelationsParam();
if (! $cfgRelation['exporttemplateswork']) {
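Review bot: `(int) $request->getParsedBodyParam('templateId')` on the new `delete()` line turns a missing or non-numeric id into 0, and an array into 1, without any signal, so a malformed request proceeds to the model call with a fabricated id; the `load()` and `update()` hunks below do the same. Consider validating before touching the model, e.g. `$rawId = $request->getParsedBodyParam('templateId');` followed by `if (! is_string($rawId) || ! ctype_digit($rawId)) { $this->response->setRequestStatus(false); return; }`, and only then casting. The model call is scoped by `$cfg['Server']['user']` (next hunk), which limits the effect to the caller's own templates; what the model does with id 0 is not visible here.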
@@ -91,7 +102,7 @@ final class ExportTemplateController extends AbstractController
$cfgRelation['db'],
$cfgRelation['export_templates'],
$cfg['Server']['user'],
- (int) $_POST['templateId']
+ $templateId
);
if (is_string($result)) {
@@ -104,10 +115,11 @@ final class ExportTemplateController extends AbstractController
$this->response->setRequestStatus(true);
}
- public function load(): void
+ public function load(ServerRequest $request): void
{
global $cfg;
+ $templateId = (int) $request->getParsedBodyParam('templateId');
$cfgRelation = $this->relation->getRelationsParam();
if (! $cfgRelation['exporttemplateswork']) {
@@ -118,7 +130,7 @@ final class ExportTemplateController extends AbstractController
$cfgRelation['db'],
$cfgRelation['export_templates'],
$cfg['Server']['user'],
- (int) $_POST['templateId']
+ $templateId
);
if (! $template instanceof ExportTemplate) {
@@ -132,10 +144,13 @@ final class ExportTemplateController extends AbstractController
$this->response->addJSON('data', $template->getData());
}
- public function update(): void
+ public function update(ServerRequest $request): void
{
global $cfg;
+ $templateId = (int) $request->getParsedBodyParam('templateId');
+ /** @var string $templateData */
+ $templateData = $request->getParsedBodyParam('templateData', '');
$cfgRelation = $this->relation->getRelationsParam();
if (! $cfgRelation['exporttemplateswork']) {
@@ -143,9 +158,9 @@ final class ExportTemplateController extends AbstractController
}
$template = ExportTemplate::fromArray([
- 'id' => (int) $_POST['templateId'],
+ 'id' => $templateId,
'username' => $cfg['Server']['user'],
- 'data' => $_POST['templateData'],
+ 'data' => $templateData,
]);
$result = $this->model->update($cfgRelation['db'], $cfgRelation['export_templates'], $template);
diff --git a/libraries/classes/Controllers/GisDataEditorController.php b/libraries/classes/Controllers/GisDataEditorController.php
index 5ee78c368a..62898731e4 100644
--- a/libraries/classes/Controllers/GisDataEditorController.php
+++ b/libraries/classes/Controllers/GisDataEditorController.php
@@ -7,13 +7,14 @@ declare(strict_types=1);
namespace PhpMyAdmin\Controllers;
-use PhpMyAdmin\Core;
use PhpMyAdmin\Gis\GisFactory;
use PhpMyAdmin\Gis\GisVisualization;
+use PhpMyAdmin\Http\ServerRequest;
use function array_merge;
use function in_array;
use function intval;
+use function is_array;
use function mb_strpos;
use function mb_strtoupper;
use function mb_substr;
@@ -25,19 +26,32 @@ use function trim;
*/
class GisDataEditorController extends AbstractController
{
- public function __invoke(): void
+ public function __invoke(ServerRequest $request): void
{
global $gis_data, $gis_types, $start, $geom_type, $gis_obj, $srid, $wkt, $wkt_with_zero;
global $result, $visualizationSettings, $data, $visualization, $open_layers, $geom_count, $dbi;
- if (! isset($_POST['field'])) {
+ /** @var string|null $field */
+ $field = $request->getParsedBodyParam('field');
+ /** @var array|null $gisDataParam */
+ $gisDataParam = $request->getParsedBodyParam('gis_data');
+ /** @var string $type */
+ $type = $request->getParsedBodyParam('type', '');
+ /** @var string|null $value */
+ $value = $request->getParsedBodyParam('value');
+ /** @var string|null $generate */
+ $generate = $request->getParsedBodyParam('generate');
+ /** @var string|null $inputName */
+ $inputName = $request->getParsedBodyParam('input_name');
+
+ if (! isset($field)) {
return;
}
// Get data if any posted
$gis_data = [];
- if (Core::isValid($_POST['gis_data'], 'array')) {
- $gis_data = $_POST['gis_data'];
+ if (is_array($gisDataParam)) {
+ $gis_data = $gisDataParam;
}
$gis_types = [
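Review bot: `if (! isset($field))` on a local that was assigned two lines earlier reads as if `$field` might be undefined; since `getParsedBodyParam('field')` returns null when absent, `if ($field === null) {` states the intent directly. The same applies to the `isset($value)` checks in the two hunks further down. The `@var string|null` / `@var string` docblocks here assert types the request body does not guarantee; see the note on ExportController for the narrowing this needs.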
@@ -53,17 +67,13 @@ class GisDataEditorController extends AbstractController
// Extract type from the initial call and make sure that it's a valid one.
// Extract from field's values if available, if not use the column type passed.
if (! isset($gis_data['gis_type'])) {
- if (isset($_POST['type']) && $_POST['type'] != '') {
- $gis_data['gis_type'] = mb_strtoupper($_POST['type']);
+ if ($type !== '') {
+ $gis_data['gis_type'] = mb_strtoupper($type);
}
- if (isset($_POST['value']) && trim($_POST['value']) != '') {
- $start = substr($_POST['value'], 0, 1) == "'" ? 1 : 0;
- $gis_data['gis_type'] = mb_substr(
- $_POST['value'],
- $start,
- mb_strpos($_POST['value'], '(') - $start
- );
+ if (isset($value) && trim($value) !== '') {
+ $start = substr($value, 0, 1) == "'" ? 1 : 0;
+ $gis_data['gis_type'] = mb_substr($value, $start, (int) mb_strpos($value, '(') - $start);
}
if (
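Review bot: The `(int)` cast on `mb_strpos($value, '(')` in the new line silences Psalm's PossiblyFalseOperand (dropped from the baseline in this commit) without handling the case: when `$value` contains no `(`, the length becomes `0 - $start`, so `gis_type` is set to `''` or, with a leading quote, to everything but the last character. The pre-existing behaviour was the same, but the cast now hides it from static analysis. Checking the result for `false` and skipping the assignment keeps the fallback to `$type` just above intact; whether later code rejects an unknown `gis_type` is not visible in this hunk. The loose `==` against `"'"` on the previous line can become `===` at the same time.
```php
if (isset($value) && trim($value) !== '') {
    $parenPos = mb_strpos($value, '(');
    if ($parenPos !== false) {
        $start = substr($value, 0, 1) === "'" ? 1 : 0;
        $gis_data['gis_type'] = mb_substr($value, $start, $parenPos - $start);
    }
}
```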
@@ -82,10 +92,10 @@ class GisDataEditorController extends AbstractController
return;
}
- if (isset($_POST['value'])) {
+ if (isset($value)) {
$gis_data = array_merge(
$gis_data,
- $gis_obj->generateParams($_POST['value'])
+ $gis_obj->generateParams($value)
);
}
@@ -116,7 +126,7 @@ class GisDataEditorController extends AbstractController
->asOl();
// If the call is to update the WKT and visualization make an AJAX response
- if (isset($_POST['generate']) && $_POST['generate'] == true) {
+ if ($generate) {
$this->response->addJSON([
'result' => $result,
'visualization' => $visualization,
@@ -138,8 +148,8 @@ class GisDataEditorController extends AbstractController
$templateOutput = $this->template->render('gis_data_editor_form', [
'width' => $visualizationSettings['width'],
'height' => $visualizationSettings['height'],
- 'field' => $_POST['field'],
- 'input_name' => $_POST['input_name'],
+ 'field' => $field,
+ 'input_name' => $inputName,
'srid' => $srid,
'visualization' => $visualization,
'open_layers' => $open_layers,
diff --git a/libraries/routes.php b/libraries/routes.php
index a3b61db272..1e1ac5ea27 100644
--- a/libraries/routes.php
+++ b/libraries/routes.php
@@ -184,7 +184,7 @@ return static function (RouteCollector $routes): void {
$routes->post('/databases', DatabaseController::class);
$routes->addRoute(['GET', 'POST'], '/error-report', ErrorReportController::class);
$routes->addGroup('/export', static function (RouteCollector $routes): void {
- $routes->addRoute(['GET', 'POST'], '', [ExportController::class, 'index']);
+ $routes->addRoute(['GET', 'POST'], '', ExportController::class);
$routes->get('/check-time-out', [ExportController::class, 'checkTimeOut']);
$routes->post('/tables', [DatabaseExportController::class, 'tables']);
$routes->addGroup('/template', static function (RouteCollector $routes): void {
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
index 318fae1316..e88faca215 100644
--- a/psalm-baseline.xml
+++ b/psalm-baseline.xml
@@ -1861,16 +1861,10 @@
<code>$whatStrucOrData</code>
<code>$whatStrucOrData</code>
</InvalidArgument>
- <MixedArgument occurrences="55">
- <code>$_POST['aliases']</code>
- <code>$_POST['what']</code>
+ <MixedArgument occurrences="46">
<code>$allrows</code>
<code>$allrows</code>
<code>$cfg['MemoryLimit']</code>
- <code>$compression</code>
- <code>$compression</code>
- <code>$compression</code>
- <code>$compression</code>
<code>$db</code>
<code>$db</code>
<code>$db</code>
@@ -1895,9 +1889,6 @@
<code>$limit_to</code>
<code>$remember_template</code>
<code>$save_filename</code>
- <code>$separate_files</code>
- <code>$separate_files</code>
- <code>$separate_files</code>
<code>$sql_query</code>
<code>$sql_query</code>
<code>$sql_query</code>
@@ -1921,14 +1912,7 @@
<MixedArrayAssignment occurrences="1">
<code>$_SESSION['tmpval']['aliases']</code>
</MixedArrayAssignment>
- <MixedAssignment occurrences="10">
- <code>$GLOBALS[$one_post_param]</code>
- <code>$_SESSION['tmpval']['aliases']</code>
- <code>$compression</code>
- <code>$onserver</code>
- <code>$onserver</code>
- <code>$selectedCompression</code>
- <code>$separate_files</code>
+ <MixedAssignment occurrences="3">
<code>$table_data</code>
<code>$table_structure</code>
<code>$tables</code>
@@ -1946,32 +1930,12 @@
</PossiblyInvalidCast>
</file>
<file src="libraries/classes/Controllers/GisDataEditorController.php">
- <MixedArgument occurrences="9">
- <code>$_POST['type']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
- <code>$_POST['value']</code>
+ <MixedArgument occurrences="1">
<code>$geom_type</code>
- <code>$gis_data</code>
- <code>$gis_data</code>
</MixedArgument>
- <MixedArrayAccess occurrences="1">
- <code>$gis_data['gis_type']</code>
- </MixedArrayAccess>
- <MixedArrayAssignment occurrences="3">
- <code>$gis_data['gis_type']</code>
- <code>$gis_data['gis_type']</code>
- <code>$gis_data['gis_type']</code>
- </MixedArrayAssignment>
- <MixedAssignment occurrences="2">
+ <MixedAssignment occurrences="1">
<code>$geom_type</code>
- <code>$gis_data</code>
</MixedAssignment>
- <PossiblyFalseOperand occurrences="1">
- <code>mb_strpos($_POST['value'], '(')</code>
- </PossiblyFalseOperand>
</file>
<file src="libraries/classes/Controllers/HomeController.php">
<MixedArgument occurrences="7">
diff --git a/templates/gis_data_editor_form.twig b/templates/gis_data_editor_form.twig
index 89d629f95e..e49748d691 100644
--- a/templates/gis_data_editor_form.twig
+++ b/templates/gis_data_editor_form.twig
@@ -22,7 +22,7 @@
<label for="choice">{% trans "Use OpenStreetMaps as Base Layer" %}</label>
</div>
- <script language="javascript" type="text/javascript">{{ open_layers|raw }}</script>
+ <script type="text/javascript">{{ open_layers|raw }}</script>
{# End of visualization section #}
{# Header section - Inclueds GIS type selector and input field for SRID #}
diff --git a/test/classes/Controllers/ExportTemplateControllerTest.php b/test/classes/Controllers/ExportTemplateControllerTest.php
index 8ba5e00b6f..16966ff2a9 100644
--- a/test/classes/Controllers/ExportTemplateControllerTest.php
+++ b/test/classes/Controllers/ExportTemplateControllerTest.php
@@ -7,6 +7,7 @@ namespace PhpMyAdmin\Tests\Controllers;
use PhpMyAdmin\Controllers\ExportTemplateController;
use PhpMyAdmin\Export\Template as ExportTemplate;
use PhpMyAdmin\Export\TemplateModel;
+use PhpMyAdmin\Http\ServerRequest;
use PhpMyAdmin\Relation;
use PhpMyAdmin\Template;
use PhpMyAdmin\Tests\AbstractTestCase;
@@ -62,11 +63,16 @@ class ExportTemplateControllerTest extends AbstractTestCase
global $cfg;
$cfg['Server']['user'] = 'user';
- $_POST['exportType'] = 'type';
- $_POST['templateName'] = 'name';
- $_POST['templateData'] = 'data';
- $this->controller->create();
+ $request = $this->createStub(ServerRequest::class);
+ $request->method('getParsedBodyParam')->willReturnMap([
+ ['exportType', '', 'type'],
+ ['templateName', '', 'name'],
+ ['templateData', '', 'data'],
+ ['template_id', null, null],
+ ]);
+
+ $this->controller->create($request);
$templates = [
ExportTemplate::fromArray([
@@ -99,9 +105,11 @@ class ExportTemplateControllerTest extends AbstractTestCase
global $cfg;
$cfg['Server']['user'] = 'user';
- $_POST['templateId'] = '1';
- $this->controller->delete();
+ $request = $this->createStub(ServerRequest::class);
+ $request->method('getParsedBodyParam')->willReturn('1');
+
+ $this->controller->delete($request);
$this->assertTrue($this->response->hasSuccessState());
}
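Review bot: `willReturn('1')` answers every `getParsedBodyParam()` call with `'1'`, so the delete test no longer checks that the controller reads `templateId` in particular; the update test below uses `willReturnMap`, which does pin the key. Use the same here: `$request->method('getParsedBodyParam')->willReturnMap([['templateId', null, '1']]);`. The load test in the next hunk has the same shape.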
@@ -111,9 +119,11 @@ class ExportTemplateControllerTest extends AbstractTestCase
global $cfg;
$cfg['Server']['user'] = 'user';
- $_POST['templateId'] = '1';
- $this->controller->load();
+ $request = $this->createStub(ServerRequest::class);
+ $request->method('getParsedBodyParam')->willReturn('1');
+
+ $this->controller->load($request);
$this->assertTrue($this->response->hasSuccessState());
$this->assertEquals(['data' => 'data1'], $this->response->getJSONResult());
@@ -124,10 +134,14 @@ class ExportTemplateControllerTest extends AbstractTestCase
global $cfg;
$cfg['Server']['user'] = 'user';
- $_POST['templateId'] = '1';
- $_POST['templateData'] = 'data';
- $this->controller->update();
+ $request = $this->createStub(ServerRequest::class);
+ $request->method('getParsedBodyParam')->willReturnMap([
+ ['templateId', null, '1'],
+ ['templateData', '', 'data'],
+ ]);
+
+ $this->controller->update($request);
$this->assertTrue($this->response->hasSuccessState());
}